Strategic Cyber Defense: Which Way Forward?

Kenneth Geers
Cooperative Cyber Defence Centre of Excellence
U.S. Naval Criminal Investigative Service

ABSTRACT

Cyber security has evolved from a technical discipline to a strategic, geopolitical concept. The question for national security thinkers today is not how to protect one or even a thousand computers, but millions, including the “cyberspace” around them.

Strategic challenges require strategic solutions. This article considers four nation-state approaches to cyber attack mitigation.

1. Technology: Internet Protocol version 6 (IPv6)
2. Doctrine: Sun Tzu’s Art of War
3. Deterrence: can we prevent cyber attacks?
4. Arms control: can we limit cyber weapons?

These threat mitigation strategies fall into different categories. IPv6 is a technical solution. Art of War is military. The third and fourth strategies are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach.

Technology and doctrine are the most likely strategies to provide short-term improvement in a nation’s cyber defense posture. Deterrence and arms control, which are more subject to outside political influence and current events, may offer cyber attack mitigation but only in the longer term.

INTRODUCTION

Cyber security has quickly evolved from a technical discipline to a strategic concern. In 2000, information technology (IT) played no role whatsoever in NATO’s Strategic Concept. When the document was rewritten in 2010, cyber attacks were deemed capable of threatening “Euro-Atlantic prosperity, security and stability.”[1]

Today, all political and military conflicts have a cyber dimension, whose size and impact are difficult to predict. From the propaganda war over Chechnya in the 1990s to the cyber assault on Estonia in 2007, from Code Red in 2001 to the ongoing fallout from Stuxnet, world leaders have been personally involved in cyber attack and defense issues.

In 1948, Hans Morgenthau wrote that national security depends on the integrity of a nation’s borders and its institutions.[2] However, as our national critical infrastructures, including everything from elections to electricity, are computerized and connected to the Internet, cyber attacks may evolve from a corollary of real-world disputes to a lead role in future conflicts. The nature of a security threat has not changed, but the Internet provides a new delivery mechanism that can increase the speed, scale, and power of an attack.

Military planners have begun to move beyond the technical, tactical aspects of cyber security – such as how to configure a firewall or monitor an intrusion detection system – to defending the cyberspace of a nation-state. This article examines four strategic approaches to cyber attack threat mitigation:

1. Technology: can Internet Protocol version 6 (IPv6) improve strategic cyber defense?
2. Doctrine: can the world’s best military treatise – Sun Tzu’s Art of War – encompass cyber warfare?
3. Deterrence: is it possible to prevent cyber attacks?
4. Arms control: can we limit cyber weapons?

These four strategies fall into different categories. IPv6 is a technical solution; Art of War is military. The third and fourth are hybrid: deterrence is a mix of military and political considerations, while arms control is a political/technical approach.

[1] “Active Engagement…” 2010.
[2] Morgenthau, 1948.

1. TECHNOLOGY

Vint Cerf, one of the Internet’s inventors, confessed that security was not an important consideration in its original design. If he could start over, “I would have put a much stronger focus on authenticity or authentication.”[3]

First and foremost, governments will seek to mitigate the threat of cyber attacks through new and improved technology. This is a logical approach: it is best to fix a technical problem with a technical solution. In 2011, the strongest candidate to have a strategic impact is IPv6, which is replacing IPv4 as the new “language” of computer networks.

IPv6 has a high learning curve and the pace of IPv6-specific application development has been slow. Nonetheless, most governments and large organizations understand that the technology is superior to IPv4, and have made the transition a priority. In the U.S., federal agencies are required to enable IPv6 on public-facing websites by 2012 and on internal networks by 2014.

IPv6 instantly solves the world’s shortage of computer addresses. IPv4 has around 4 billion addresses, which are insufficient for our computing needs today. IPv6, by contrast, has 50 octillion addresses for every human on planet Earth! In the military, every bullet and stick of butter will have its own, permanently-associated number. In a nation, the same could apply to people – according to Chinese Internet Society chairwoman Hu Qiheng, “there is now anonymity for criminals on the Internet in China … with the China Next Generation Internet project, we will give everyone a unique identity on the Internet.”[4]

From a law enforcement and counterintelligence perspective, IPv6 could help to solve the problem of anonymous cyber attacks. However, human rights groups fear that governments will use this new capability to quash political dissent by reducing online anonymity and privacy.

IPv6 possesses better security features than IPv4, chief among them mandatory support for Internet Protocol Security (IPSec), a group of communications protocols used to authenticate and encrypt Internet traffic. The use of IPSec under IPv6 is not required, but its inherent presence gives network security administrators a powerful weapon in their arsenal against hackers.

The percentage of Internet traffic that is encrypted is constantly rising. Eventually everything on the Web could be unreadable to third parties, including network security personnel. Therefore, the need for the authentication mechanisms inherent in IPSec will also rise in order to know with greater certainty with whom one is communicating.

[3] Menn, 2011.
[4] Crampton, 2006.

One of the most unsettling aspects of IPv6 is that during the necessarily long transition period from IPv4 there will be an increased “attack surface” as hackers exploit vulnerabilities in both IP languages at once. But when the switch is complete, IPv6 appears to have the potential to reduce the most important advantage of a cyber attacker today – anonymity – which in turn could improve the state of strategic cyber security.
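
As an added illustration of the IPSec point made in this section (example code written for this page, not the author's), here is a Python routine that walks an IPv6 packet's extension-header chain and reports whether the Authentication Header or Encapsulating Security Payload is present, which is how a network defender can measure whether the authentication that IPv6 makes available is actually in use on a link. The header layouts follow the public IPv6 and IPsec RFCs; the sample packets are constructed inline and the addresses are documentation placeholders.

```python
import ipaddress
import struct

# IANA protocol numbers for the headers handled below (standard values, not from the article).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS, TCP = 0, 43, 44, 50, 51, 59, 60, 6
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # share the same (next header, length) layout


def build_ipv6(src: str, dst: str, first_next: int, body: bytes) -> bytes:
    """Assemble a constructed test packet: 40-byte fixed header followed by body."""
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first_next, 64)  # version 6, hop limit 64
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def parse_ipv6(packet: bytes) -> dict:
    """Walk the extension-header chain and report which IPsec headers, if any, are present."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")
    info = {
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "chain": [],        # extension headers seen, in order
        "upper": None,      # upper-layer protocol number, when it is visible
        "ipsec": "none",    # "ah" = authenticated only, "esp" = encrypted, "none" = neither
    }
    next_hdr, offset = packet[6], 40
    while True:
        if next_hdr == ESP:
            # ESP's own next-header byte sits in its trailer, which may be encrypted: the chain ends here.
            info["chain"].append(ESP)
            info["ipsec"] = "esp"
            return info
        if next_hdr == NO_NEXT:
            return info
        if next_hdr not in GENERIC_EXT and next_hdr not in (FRAGMENT, AH):
            info["upper"] = next_hdr  # TCP, UDP, ICMPv6, ...
            return info
        if offset + 2 > end:
            raise ValueError("truncated extension header")
        if next_hdr == AH:
            hdr_len = (packet[offset + 1] + 2) * 4  # AH length is in 4-octet units minus 2 (RFC 4302)
            info["ipsec"] = "ah"
        elif next_hdr == FRAGMENT:
            hdr_len = 8
        else:
            hdr_len = (packet[offset + 1] + 1) * 8  # 8-octet units, not counting the first 8
        if offset + hdr_len > end:
            raise ValueError("extension header runs past end of packet")
        info["chain"].append(next_hdr)
        next_hdr, offset = packet[offset], offset + hdr_len


# Constructed sample packets; the addresses come from the RFC 3849 documentation prefix.
SRC, DST = "2001:db8::1", "2001:db8::2"
TCP_STUB = bytes(20)
# Destination Options (one PadN option) -> AH with a 96-bit ICV -> TCP
DEST_OPTS_HDR = bytes([AH, 0, 1, 4, 0, 0, 0, 0])
AH_HDR = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + bytes(12)
AUTHENTICATED = build_ipv6(SRC, DST, DEST_OPTS, DEST_OPTS_HDR + AH_HDR + TCP_STUB)
# ESP: SPI and sequence number followed by opaque (encrypted) payload
ENCRYPTED = build_ipv6(SRC, DST, ESP, struct.pack("!II", 0x2000, 1) + bytes(32))
# Plain TCP with no extension headers
PLAIN = build_ipv6(SRC, DST, TCP, TCP_STUB)

if __name__ == "__main__":
    for name, pkt in (("authenticated", AUTHENTICATED), ("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(name, parse_ipv6(pkt))
```

Run over a capture, the "ipsec" field tallied per source address shows which hosts actually authenticate or encrypt their IPv6 traffic and which still send it in the clear.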

2. DOCTRINE

The establishment of U.S. Cyber Command in 2010 confirmed that cyberspace – along with land, sea, air and space – is a new domain of warfare.[5] Computers are not only a target but also a weapon. Therefore military thinkers must find a way to incorporate cyber attack and defense into military doctrine as soon as possible.

The world’s most influential military treatise is Sun Tzu’s Art of War. Its compelling and adaptive wisdom has survived myriad revolutions in technology and human conflict. Art of War tactics and strategies have been successfully applied to other disciplines including business, sports, and personal relationships.

Future cyber commanders will also find Sun Tzu’s guidance beneficial. For example, on defense, Sun Tzu warns leaders never to rely on the good intentions of others or to count on best-case scenarios.[6] This is sound advice in cyberspace because computers are attacked from the moment they connect to the Internet.[7]

    The Art of War teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
    Art of War, “VIII. Variation in Tactics”

On offense, cyber attacks are likely to play a lead role in future wars, where the nature of the fight could be above all over IT infrastructure. A cyber-only war might even please Sun Tzu, who argued that the best leaders can attain victory before combat is necessary.

    The best thing of all is to take the enemy’s country whole and intact … supreme excellence consists in breaking the enemy’s resistance without fighting.
    Art of War, “III. Attack by Stratagem”

[5] Pellerin, 2010.
[6] Sawyer, 1994.
[7] Skoudis, 2006.

In theory, cyber warfare might be a good thing for the world if future conflicts are shorter and cost fewer lives, which could facilitate economic recovery and post-war diplomacy.

There are many aspects of cyber conflict, however, that are truly revolutionary, and for which it may be difficult to write military doctrine. Here are no fewer than ten to consider:

1. The Internet is an artificial environment that can be shaped in part according to national security requirements.
2. The blinding proliferation of technology and hacker tools makes it impossible to be familiar with all of them.
3. The proximity of adversaries is determined by connectivity and bandwidth, not terrestrial geography.
4. Software updates and network reconfiguration change cyber battlespace unpredictably and without warning.
5. Contrary to our historical understanding of war, cyber conflict favors the attacker.
6. Cyber attacks are flexible enough to be effective for propaganda, espionage, and the destruction of critical infrastructure.
7. The difficulty of obtaining reliable cyber attack attribution lessens the credibility of deterrence, prosecution and retaliation.
8. The “quiet” nature of cyber conflict means that a significant battle could take place with only the direct participants witting.
9. The dearth of expertise and evidence can make victory, defeat, and battle damage a highly subjective undertaking.
10. There are few moral inhibitions to cyber attacks because they relate primarily to the use and abuse of data and computer code; so far, there is little perceived human suffering.

The world’s top military thinkers, including Sun Tzu, can help modern organizations fill the gaping holes in their cyber defenses, but it will take many years to incorporate all of the revolutionary aspects of cyber conflict into military doctrine.

3. DETERRENCE

World leaders have begun to look beyond reactive, tactical cyber defense to proactive, strategic cyber defense, which may include international military deterrence.

Deterrence theory gained prominence during the Cold War when the United States and Soviet Union created enough firepower in the form of nuclear weapons to destroy human civilization on our planet. The American military strategist Bernard Brodie wrote that, in the nuclear era, the purpose of armies had shifted from winning wars to preventing them.[8]

Cyber attacks per se do not compare to a nuclear explosion. However, as a powerful means to a wide variety of political and military ends, they pose an increasing threat to international security. In 2010, for example, the Stuxnet worm demonstrated that computer code alone is capable of destroying physical infrastructure such as nuclear centrifuges.[9]

Pentagon officials have therefore begun to articulate a nascent cyber attack deterrence policy. National security insiders now believe that computer sabotage could even be an act of war which could trigger a conventional military response: “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”[10]

There are two primary strategies, according to deterrence theory, available to nation-states – proactive denial and reactive punishment. Both strategies have three basic requirements – capability, communication, and credibility.[11]

Deterrence by denial is a strategy in which an adversary is physically prevented from acquiring a threatening technology. This is the preferred option in the nuclear sphere because there is no practical defense against a nuclear explosion, which can demolish reinforced concrete buildings three kilometers away.[12] Deterrence by denial is a philosophy embodied in the Non-Proliferation Treaty (NPT) and a major reason behind current international tension with North Korea and Iran.[13]

Unfortunately, deterrence by denial is unlikely to succeed against cyber attacks. Nuclear technology is difficult to acquire, but hacker tools and techniques are not. Amazingly, there is little visible difference between expertise in computer network defense and computer network offense – they are essentially one and the same discipline. A good hacker may be described as someone who simply understands your computer network better than you do, and uses that knowledge for nefarious purposes.

[8] Brodie, 1946.
[9] Broad et al., 2011.
[10] Gorman & Barnes, 2011.
[11] Interview with Prof. Peter D. Feaver of Duke University.
[12] Sartori, 1983.
[13] Shultz et al., 2007.

The second deterrence strategy, reactive punishment, seeks to prevent an attack before it is launched by threatening painful or even fatal retaliation. In cyberspace, this is the only realistic option.

There are two vexing cyber security challenges, however, which undermine the credibility of deterrence by punishment – attacker attribution and attack asymmetry. First, the byzantine, international nature of the Internet almost guarantees that the “anonymous hacker” problem will not go away soon. Second, there are countless ways to show the asymmetric power of networks, such as in 2001 when a single teenage hacker, MafiaBoy, caused over $1 billion in corporate losses after a successful denial-of-service attack.[14]

A final comparison to the Cold War relates to the concept of Mutually Assured Destruction (MAD). By 1968, Soviet mastery of nuclear technology made one-sided nuclear deterrence meaningless,[15] and the two Superpowers were forced into a position of mutual deterrence. If cyber attacks are both effective and impossible to eradicate, we may now live in a world of Mutually Assured Disruption.[16]

[14] Verton, 2002.
[15] This refers to the Soviet Union’s ability to mass produce nuclear weapons, and to compete in the nuclear arms race.
[16] Pendall, 2004; Derene, 2009.

4. ARMS CONTROL

Former CIA Director Michael Hayden posed this question during a 2010 Black Hat keynote address – “Why might it be better to bomb a factory than to hack it?” No one responded. Hayden explained that one can choose to bomb a factory at any time, but sophisticated cyber attacks take months if not years of painstaking subversion. In turn, this means that even during peacetime, nations may hack their adversaries’ critical infrastructures in order to prepare for war. This is not only a recipe for perpetual network chaos, but it also seems likely that the first shots of the next World War have already been fired.

Given the dim prospects for cyber attack deterrence and a looming cyber arms race, world leaders may decide to negotiate a cyber arms control treaty or a non-aggression pact for cyberspace.

The Russian government has long argued that an agreement similar to those which have been signed for weapons of mass destruction (WMD) could be helpful in securing the Internet.[17] In 1998, Russia successfully sponsored United Nations Resolution 53/70, which stated that while modern information and communication technology (ICT) offers civilization the “broadest positive opportunities” it was nonetheless vulnerable to misuse by criminals and terrorists.[18]

No pre-Internet model is a perfect fit for cyberspace or cyber conflict. But there are three aspects of the 1997 Chemical Weapons Convention (CWC), which compels signatories to destroy CW stockpiles and forbids them from producing any more, that could be beneficial: universal appeal, political will, and practical assistance.

First, everyone is a neighbor on the Internet but the jurisdiction of law enforcement ends every time a network cable crosses a border. In the short term, this is a major obstacle to cyber attack mitigation, but as politicians, diplomats and the public grow more Internet-savvy, there may be a common realization that the only way to solve this problem is through closer international cooperation. CWC is less than 15 years old, but it has already been ratified by 98% of the world’s governments and encompasses 95% of the world’s population.

Second, strategic cyber defense may eventually receive a boost from the world’s political leadership. In 1997, Presidents Bill Clinton and Boris Yeltsin decided to issue a joint statement endorsing CWC in order to “banish poison gas from the Earth.”[19] The perceived threat from cyber attacks is growing, based on nation-state capabilities as well as the fear that terrorists will master the art of hacking. The 2010 attack on Google was serious enough to begin discussion in the U.S. on the creation of an ambassador-level post, modeled on the State Department’s counterterrorism coordinator, to oversee international cyber security efforts.[20]

Third, CWC offers practical aid to its members in the form of advocacy, weapons destruction and the advancement of peaceful uses for chemistry. A cyber weapons treaty could create an internationally-staffed institution to help signatories improve cyber defenses, respond to attacks and promote peaceful uses for computer science. Computer security is not an easy discipline – proper configuration, management and incident response require more resources than most organizations and even many countries now have available.

There are two essential aspects of arms control, however, that are difficult to apply in cyberspace at this time: prohibition and inspection.

First, it is difficult to prohibit something that is hard to define, such as malicious code. Anti-malware firm Kaspersky reported that it “detected and neutralized” over 200 million “malicious programs” in the month of March 2011 alone.[21] But this can only be an estimate of the true number in existence, and it likely includes a wide range of everything from true nation-state attacks to simple, annoying advertisements. And if somehow an organization could be malware-free, professional hackers are adept at using legitimate paths to network access – such as by exploiting a default or easily-guessed password – to undermine the security of a target network.

[17] Markoff & Kramer, 2009.
[18] “53/70…” 1999.
[19] “The President’s News Conference...” 1997.
[20] Gorman, 2010.

Second, it is hard to inspect something as big as cyberspace. In CWC, there are around 5,000 industrial facilities worldwide that are subject to inspection at any time – this is a large but manageable number. Compare that to a single USB Flash drive which can now hold up to 256 GB or 2 trillion bits of data, or to the 439 million Internet-connected computers located in the U.S.,[22] or to modern software in general, which is so complex and its lines of code so numerous that it is almost impossible to understand completely.[23]

In theory, a cyber weapons convention could require inspection at the Internet Service Provider (ISP) level. However, such regimes are already commonplace, such as China’s Golden Shield Project, the European Convention on Cybercrime, Russia’s SORM,[24] and the USA PATRIOT Act. Each is unique in terms of guidelines and enforcement, but all face the same problem of overwhelming traffic volume.

One significant but politically difficult step would be the international instrumentation and observation of the Internet and its network traffic flows. This may seem to be an extreme solution, but it could be the only way to slow fast-moving cyber threats such as botnets and distributed denial-of-service attacks.

[21] “Monthly Malware Statistics…” 2011.
[22] The World Factbook, Central Intelligence Agency, 2011.
[23] Cole, 2002.
[24] Система Оперативно-Розыскных Мероприятий or “System for Operative Investigative Activities.”

CONCLUSION

Cyber security has evolved from a tactical to a strategic concern, for which nation-states must develop strategic cyber defenses. This article highlights four – technology, doctrine, deterrence, and arms control.

1. Technology: Next-generation Internet technologies such as IPv6 can redress some of the Internet’s current security shortcomings. However, IPv6 is not a silver bullet, and it will unfortunately create some new problems to solve, including a long and dangerous transition phase from IPv4. Still, IPv6 represents a logical attempt to solve a technical problem with a technical solution, and it could help to reduce the chief advantage of cyber attackers today – anonymity.
2. Doctrine: Cyber attack and defense represent a revolution in national security affairs similar to the advent of artillery, rockets and airplanes. Even the world’s most influential military treatise, Sun Tzu’s Art of War, has difficulty encompassing many basic aspects of cyber war. Nonetheless, national security leaders must rewrite military doctrine so that people and processes are better aligned and resourced for cyber conflict, and Art of War can help.
3. Deterrence: U.S. military leaders have begun to articulate a deterrence strategy for cyberspace, but two vexing cyber security challenges diminish its credibility. First, it is difficult to prevent an adversary from acquiring effective hacker tools and techniques. Second, hackers are often able to conduct powerful attacks even while remaining anonymous, which undermines the threat of prosecution or retaliation.
4. Arms control: The persistence of ubiquitous IT vulnerabilities coupled with the proliferation of hacker tools may eventually force governments to sign a cyber arms control treaty or a non-aggression pact for the Internet. But two elements of arms control seem difficult to apply to cyber weapons: prohibition and inspection. It is difficult to define “malicious” code and it is hard to inspect something as big as cyberspace.

In summary, investments in technology and doctrine are more reliable than deterrence and arms control because they are less subject to the whims of politics and current events. A cyber arms control treaty, despite its challenges, would have a key advantage over a deterrence policy alone – namely, some kind of technical verification regime. Deterrence is exclusively a military/political approach that does not, by itself, address the most significant advantage of a cyber attacker today – anonymity.

REFERENCES

“53/70: Developments in the field of information and telecommunications in the context of international security,” (4 Jan 1999) United Nations General Assembly Resolution: Fifty-Third Session, Agenda Item 63.

“Active Engagement, Modern Defence: Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organisation,” (2010) NATO website: www.nato.int.

Broad, W.J., Markoff, J. & Sanger, D.E. (15 Jan 2011) “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” The New York Times.

Brodie, B. (1946) The Absolute Weapon: Atomic Power and World Order (New York: Harcourt, Brace and Co) 76.

Cole, E. (2002) Hackers Beware (London: New Riders) 727.

Crampton, T. (19 Mar 2006) “Innovation may lower Net users’ privacy,” The New York Times.

Derene, G. (2009) “Weapon of Mass Disruption,” Popular Mechanics 186(4) 76.

Geers, K. (2011) Strategic Cyber Security (Tallinn: Cooperative Cyber Defence Centre of Excellence).

Gorman, S. (23 Mar 2010) “U.S. Aims to Bolster Overseas Fight Against Cybercrime,” The Wall Street Journal.

Gorman, S. & Barnes, J. (31 May 2011) “Cyber Combat: Act of War,” The Wall Street Journal.

Markoff, J. & Kramer, A.E. (27 Jun 2009) “U.S. and Russia Differ on a Treaty for Cyberspace,” The New York Times.

Menn, J. (11 Oct 2011) “Founding father wants secure ‘Internet 2’,” The Financial Times.

“Monthly Malware Statistics: March 2011,” (2011) Kaspersky Lab: www.kaspersky.com.

Morgenthau, H.J. (1948) Politics among Nations: The Struggle for Power and Peace (NY: A. A. Knopf) 440.

Pellerin, C. (18 Oct 2010) “Lynn: Cyberspace is the New Domain of Warfare,” American Forces Press Service.

Pendall, D.W. (2004) “Effects-Based Operations and the Exercise of National Power,” Military Review 84(1) 20-31.

“The President’s News Conference with President Boris Yeltsin of Russia in Helsinki,” (21 Mar 1997) The American Presidency Project, UC Santa Barbara: www.presidency.ucsb.edu.

Sartori, L. (1983) “The weapons tutorial – Part five: When the bomb falls,” Bulletin of the Atomic Scientists 39(6) 40-47.

Sawyer, R.D. (1994) Sun Tzu: Art of War (Oxford: Westview Press).

Shultz, G.P., Perry, W.J., Kissinger, H.A., & Nunn, S. (4 Jan 2007) “A World Free of Nuclear Weapons,” The Wall Street Journal.

Skoudis, E. (2006) Counter Hack Reloaded: A Step-By-Step Guide to Computer Attacks and Effective Defenses (NJ: Prentice Hall) 1.

Verton, D. (2002) The Hacker Diaries: Confessions of Teenage Hackers (NY: McGraw-Hill/Osborne) xvii.